Quick Start

  1. Enable Console Access
  2. Generate API Credentials
  3. Configure the Technology in Workbench

Step 1: Enable Console Access

  1. Sign in to the Sumo Logic CIP console to create a new user.

  2. Navigate to Administration > Users and Roles > Users and click the Add User button at the top right of the page.

  3. Fill in the following information.

    • For First Name, type Expel.

    • For Last Name, type SOC analysts.

    • For Email, type soc+<your_company_name>@expel.io.

      Note
      Yes, the "+" sign is part of the email address, and it's important.

    • For Assigned Roles select the Analyst role.

    • Click Add New User.

  4. Verify that Expel SOC now appears on the Users page.

  5. Sign in to the Sumo Logic Cloud SIEM Enterprise console.

  6. Navigate to Accounts.

  7. Click Invite at the top right of the page.

  8. Invite the Sumo Logic CIP user from step 1 with a role of Analyst.


Step 2: Generate API Credentials

  1. Edit the Sumo Logic Cloud SIEM Enterprise user created in Step 1.

  2. Select API Key Enabled.

  3. Select YES, REGENERATE API KEY.

  4. Click UPDATE and log out.

  5. Log back in to the Sumo Logic Cloud SIEM Enterprise console as the new user created in Step 1.

  6. Click the user profile at the top right of the page.

  7. Copy the API Key and make a note of it.


Step 3: Configure the Technology in Workbench

  1. Log in to Workbench.

  2. In the side menu, navigate to Organization Settings > Security Devices.

  3. Select Add Security Device.

  4. In the search box, type "Sumo Logic" and select Sumo Logic Cloud SIEM Enterprise (formerly JASK).

  5. A configuration pane displays. Complete the fields as follows:

    • Name - enter a name that helps you identify this integration, such as “CompanyName Sumo Cloud SIEM Enterprise”. This name displays in Workbench under the Name column and is a text string that you can filter on.
    • Location - enter the location of your integration, for example, “cloud.” This is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Username - enter the username used to authenticate to the device.
    • Password - enter the password used to authenticate to the device.
    • Server address - provide the Sumo Logic Cloud SIEM Enterprise URL.

    • Sumologic query indices - leave this field blank.

  6. Select Save.